US-10841284

Vehicle communication network and method

Published: November 17, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method of communicating via a vehicle communication network includes providing an electronic control unit (ECU), the ECU including a main processing unit and a security processing unit, the security processing unit including a symmetric security key, attempting a secure boot of the main processing unit, providing use of the symmetric security key to the main processing unit if the secure boot of the main processing unit is successful, preventing use of the symmetric security key by the main processing unit if the secure boot of the main processing unit is not successful, conducting, via an attestation processing unit, a remote attestation of the main processing unit, and determining, via the attestation processing unit, whether the secure boot of the main processing unit was successful according to the remote attestation.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of communicating via a vehicle communication network, the method comprising: providing an electronic control unit (ECU), the ECU including a main processing unit and a security processing unit, the security processing unit including an electronic security processor, a security memory, and a symmetric security key stored in the security memory; wherein the main processing unit includes an electronic main processor and a main memory; attempting a secure boot of the main processing unit; providing use of the symmetric security key to the main processing unit if the secure boot of the main processing unit is successful; preventing use of the symmetric security key by the main processing unit if the secure boot of the main processing unit is not successful; conducting, via an attestation processing unit, a remote attestation of the main processing unit; and determining, via the attestation processing unit, whether the secure boot of the main processing unit was successful according to the remote attestation; wherein conducting the remote attestation includes the attestation processing unit sending a request for a computation using the symmetric security key to the main processing unit, determining that the main processing unit has completed the secure boot if the main processing unit provides a correct result of the computation involving the symmetric security key in response to the request, and determining that the main processing unit is not secure if the main processing unit does not provide the correct result of the computation involving the symmetric security key in response to the request.

2. The method of claim 1, wherein the main processing unit is configured to use services of the security processing unit, and the main processing unit and the security processing unit are configured such that the main processing unit cannot read data directly from the security processing unit.

3. The method of claim 1, wherein the ECU is configured as a gateway ECU.

4. The method of claim 1, providing an anomaly detection system including an anomaly detection processor and anomaly detection memory; and providing an outcome of the remote attestation to the anomaly detection system.

5. The method of claim 1, wherein conducting the remote attestation includes the main processing unit attempting to use the symmetric security key; and the security memory includes boot protection.

6. The method of claim 1, wherein providing use of the symmetric security key to the main processing unit does not include providing the symmetric security key to the main processing unit.

7. The method of claim 1, wherein the ECU is disposed in a vehicle, and the attestation processing unit is a remote processing unit disposed outside of the vehicle.

8. The method of claim 1, including providing a second ECU, the second ECU including a second main processing unit and a second security processing unit; wherein the second ECU is configured to control operation of a vehicle system; the second ECU includes a second symmetric security key; the second main processing unit includes a second electronic main processor and second main memory; and the second security processing unit includes a second electronic security processor and a second security memory; attempting a secure boot of the second main processing unit; providing use of the second symmetric security key from the second security processing unit to the second main processing unit if the secure boot of the second main processing unit is successful; and preventing use of the second symmetric security key by the second main processing unit if the secure boot of the second main processing unit is not successful.

9. The method of claim 8, wherein conducting the remote attestation includes the attestation processing unit sending a second request for a second computation using the second symmetric security key to the second main processing unit, determining that the second main processing unit has completed the secure boot if the second main processing unit provides a correct result of the second computation involving the second symmetric security key in response to the second request, and determining that the second main processing unit is not secure if the second main processing unit does not provide the correct result of the second computation involving the second symmetric security key in response to the second request.

10. The method of claim 8, including determining, via the ECU, whether the secure boot of the second main processing unit was successful.

11. The method of claim 1, wherein the method does not involve asymmetric security keys.

12. The method of claim 1, wherein the remote attestation does not include communicating the symmetric security key to the attestation processing unit.

13. The method of claim 1, wherein the security processing unit is secure hardware extension compliant.

14. The method of claim 1, including providing a plurality of secondary ECUs, the secondary ECUs each including a secondary main processing unit and a secondary security processing unit associated with the secondary main processing unit; wherein each secondary ECU is configured to control operation of a respective vehicle system of a plurality of vehicle systems; and each secondary ECU includes a respective symmetric security key; attempting a secure boot of the secondary main processing unit of at least two of the plurality of secondary ECUs; providing, for each secondary main processing unit that successfully completed the secure boot, use of the respective security key of the associated security processing unit; and preventing, for each secondary main processing unit that failed to successfully complete the secure boot, use of the respective security key of the associated security processing unit wherein each secondary main processing unit includes a respective electronic secondary main processor and secondary main memory; and each secondary security processing unit includes a respective electronic secondary security processor and second security memory.

15. The method of claim 14, wherein the symmetric security key and all of the respective symmetric security keys are different from each other.

16. The method of claim 14, wherein the plurality of vehicle systems includes a brake system, a transmission, and an infotainment system.

17. The method of claim 1, wherein the remote attestation is conducted at least one of periodically and with vehicle start.

18. A vehicle communication network, comprising: an electronic control unit (ECU) disposed in a vehicle, the ECU including a main processing unit configured for a secure boot, the main processing unit including an electronic main processor and a main memory; and a security processing unit including a security processor, a security memory, and a symmetric security key stored in the security memory, the security processing unit configured to (i) provide use of the symmetric security key to the main processing unit if the secure boot of the main processing unit is successful, and (ii) prevent use of the symmetric security key by the main processing unit if the secure boot of the main processing unit is not successful; and an attestation processing unit including an electronic attestation processor and attestation memory, the attestation processing unit configured to conduct a remote attestation of the main processing unit and configured to determine whether the secure boot of the main processing unit was successful according to the remote attestation; wherein conducting the remote attestation includes the attestation processing unit sending a request for a computation using the symmetric security key to the main processing unit, determining that the secure boot of the main processing unit was successful if the main processing unit provides a correct result of the computation involving the symmetric security key in response to the request, and determining that the main processing unit is not secure if the main processing unit does not provide the correct result of the computation involving the symmetric security key in response to the request.

19. The vehicle communication network of claim 18, including a plurality of secondary ECUs, the secondary ECUs each including a secondary main processing unit and a secondary security processing unit associated with the secondary main processing unit; wherein each secondary ECU is configured to control operation of a respective vehicle system of a plurality of vehicle systems; each secondary security processing unit includes a respective symmetric security key; and each secondary security processing unit is configured to provide use of the respective security key to the secondary main processing unit associated with the secondary security processing unit only if the secondary main processing unit associated with the secondary security processing unit completes a secure boot; each secondary main processing unit includes a respective electronic secondary main processor and secondary main memory; and each secondary security processing unit includes a respective electronic secondary security processor and second security memory.

20. A method of vehicle communication, the method comprising: detecting, via an anomaly detection system, that an anomaly is present in a communication network of a vehicle; determining, via the anomaly detection system, that an electronic control unit (ECU) is responsible for the anomaly, the ECU including a main processing unit and a security processing unit, the security processing unit including an electronic security processor, a security memory, and a symmetric security key stored in the security memory; attempting a secure boot of the main processing unit after determining that the ECU is responsible for the anomaly; providing use of the symmetric security key from the security processing unit to the main processing unit if the secure boot of the main processing unit is successful; preventing use of the symmetric security key by the main processing unit if the secure boot of the main processing unit is not successful; conducting, via an attestation processing unit, a remote attestation of the main processing unit; and determining, via the attestation processing unit, whether the secure boot of the main processing unit was successful according to the remote attestation; wherein conducting the remote attestation includes the attestation processing unit sending a request for a computation using the symmetric security key to the main processing unit, determining that the secure boot of the main processing unit was successful if the main processing unit provides a correct result of the computation involving the symmetric security key in response to the request, and determining that the secure boot of the main processing unit was not successful if the main processing unit does not provide the correct result of the computation involving the symmetric security key in response to the request.
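The challenge-response attestation of claims 1, 6 and 12, modelled in Python as an added example that is not code from the patent or from Patentable. It assumes HMAC-SHA256 as the keyed computation, a SHA-256 firmware comparison as the secure boot check, and a verifier holding a copy of the key provisioned in advance; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

class SecurityProcessingUnit:
    """Holds the key; offers a MAC service but never releases the key (claims 2, 6)."""
    def __init__(self, key: bytes, trusted_digest: bytes):
        self._key, self._trusted, self._boot_ok = key, trusted_digest, False

    def secure_boot(self, firmware: bytes) -> bool:
        measured = hashlib.sha256(firmware).digest()  # assumed form of the boot check
        self._boot_ok = hmac.compare_digest(measured, self._trusted)
        return self._boot_ok

    def mac(self, data: bytes) -> bytes:
        if not self._boot_ok:  # boot protection: key unusable after a failed boot
            raise PermissionError("key use blocked: secure boot failed")
        # Assumption: HMAC-SHA256 stands in for the unspecified "computation".
        return hmac.new(self._key, data, hashlib.sha256).digest()

class MainProcessingUnit:
    def __init__(self, spu: SecurityProcessingUnit, firmware: bytes):
        self.spu = spu
        spu.secure_boot(firmware)

    def answer(self, challenge: bytes) -> bytes:
        try:
            return self.spu.mac(challenge)
        except PermissionError:
            return bytes(32)  # without the key service it can only guess

class AttestationUnit:
    def __init__(self, key: bytes):
        self._key = key  # assumption: provisioned in advance, never sent (claim 12)

    def attest(self, mpu) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per request, so replays fail
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mpu.answer(challenge), expected)

def demo():
    key = secrets.token_bytes(16)         # constructed sample key
    good_fw = b"constructed firmware v1"  # constructed sample images
    bad_fw = good_fw + b" (modified)"
    trusted = hashlib.sha256(good_fw).digest()
    verifier = AttestationUnit(key)
    ok = verifier.attest(MainProcessingUnit(SecurityProcessingUnit(key, trusted), good_fw))
    bad = verifier.attest(MainProcessingUnit(SecurityProcessingUnit(key, trusted), bad_fw))
    return ok, bad
```

`demo()` returns `(True, False)`: the unit that booted the expected image answers the challenge, while the modified image is locked out of the key service and fails attestation.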

Patent Metadata

Filing Date: May 30, 2018

Publication Date: November 17, 2020

Cite as: Patentable. “Vehicle communication network and method” (US-10841284). https://patentable.app/patents/US-10841284